Public key encryption system based on the quadratic residuosity assumption

ABSTRACT

A public-key encryption system. Encryption of a k-bit plaintext m is performed by picking a random generating ciphertext and outputting the ciphertext. N is a non-prime integer (preferably the product of two primes p and q), y is an element in multiplicative group of integers modulo N, and k is an integer larger than 1, Decryption of ciphertext c using private key is performed by recovering such that holds and outputting plaintext m, wherein denotes the 2k-th power residue symbol modulo p, which is defined. Also provided are an encryption device and a decryption device. The encryption scheme provides better bandwidth than the Goldwasser-Micali encryption scheme.

TECHNICAL FIELD

The present invention relates generally to cryptography, and in particular to a public-key encryption system.

BACKGROUND

This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.

In 1984, Goldwasser-Micali described a public key encryption scheme; see Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270- 299, 1984. The scheme has a particular interest because is proved under the Quadratic Residuosity Assumption, but it is not efficient in terms of bandwidth as each bit in the plaintext is expanded to the size of the composite modulus in ciphertext.

A first tentative to improve the efficiency of such scheme is due to Blum-Goldwasser (Manuel Blum and Shafi Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In CRYPTO, pages 289-302, 1984). Their scheme achieves a better ciphertext expansion: the ciphertext has the same length of the plaintext plus an integer of the size of modulus. The scheme is proved semantically secure under the unpredictability of output of the Blum-Blum-Shub's pseudorandom generator which resides on factorisation hardness assumption. (See Lenore Blum, Manuel Blum, and Mike Shub. Comparison of two pseudo-random number generators. In CRYPTO, pages 61-78, 1982 and Lenore Blum, Manuel Blum, and Mike Shub. A simple unpredictable pseudo-random number generator. SIAM J. Comput., 15(2):364-383, 1986.) Details about the Blum-Goldwasser scheme can be found in The Foundations of Modern Cryptography by Oded Goldreich, 1997.

After the initial work by Golwasser and Micali, Benaloh and Fisher proposed a first generalisation of the Golwasser-Micali encryption scheme based on a Prime Residuosity Assumption. (See Josh Daniel Cohen Benaloh. Verifiable secret-ballot elections. PhD thesis, New Haven, Conn., USA, 1987, and Josh D. Cohen and Michael J. Fischer. A robust and verifiable cryptographically secure election scheme. In SFCS '85: Proceedings of the 26th Annual Symposium on Foundations of Computer Science, pages 372-382, Washington, DC, USA, 1985. IEEE Computer Society.) The basic idea is to consider as message space Z/eZ for a particular small prime e instead of Z/2Z as in Goldwasser-Micali, so achieving a better ciphertext expansion. The main disadvantage of this scheme is that the decryption algorithm is very inefficient requiring a kind of exhaustive search (requiring then a small value of prime e to be practical).

An improved variant of this latter was given by Naccache and Stern considering e not as a prime but a product of small primes. This allows a faster decryption. (See David Naccache and Jacques Stern. A new public key cryptosystem based on higher residues. In ACM Conference on Computer and Communications Security, pages 59-66, 1998.)

A different approach of the same problem was proposed by Okamoto and Uchiyama who suggested to work with a particular modulus N=p²q. This choice improves the bandwidth using as message space Z/pZ. (See Tatsuaki Okamoto and Shigenori Uchiyama. A new public-key cryptosystem as secure as factoring. In EUROCRYPT, pages 308-318, 1998.) Unfortunately, the scheme is vulnerable to a chosen-ciphertext attack that allows to recover the modulus factorisation, completely breaking the system.

Later, Paillier generalised the Okamoto-Uchiyama cryptosystem using N², the square of a standard composite modulus. The underlying problem used to prove the scheme is the N-th residuosity assumption. (See Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT, pages 223-238, 1999.)

Other applications of the more general theory of characters and residuosity can be found also in works by Monnerat and Vaudenay in the domain of undeniable signatures. (See Jean Monnerat, Yvonne Anne Oswald, and Serge Vaudenay. Optimization of the mova undeniable signature scheme. In Dawson and Vaudenay [9], pages 196-209; Jean Monnerat and Serge Vaudenay. Generic homomorphic undeniable signatures. In Pil Joong Lee, editor. Advances in Cryptology—ASIACRYPT 2004, Proceedings, volume 3329 of Lecture Notes in Computer Science. Springer, 2004, pages 354-371; and Jean Monnerat and Serge Vaudenay. Undeniable signatures based on characters: How to sign with one bit. In F. Bao et al., editors, Public Key Cryptography—PKC 2004, volume 2947 of Lecture Notes in Computer Science, pages 69-75. Springer-Verlag, 2004.) In these works, the authors focus on character of order 2, 3 and 4. The authors also provide an analysis and a classification of the problems related to the security of their schemes. Using the general theory of character in building cryptosystem appears also in “Undeniable signatures . . . ” already mentioned and in a work by Renate Scheidler and Hugh C. Williams: A public-key cryptosystem utilizing cyclotomic fields. Des. Codes Cryptography, 6(2):117-131, 1995.

It can therefore be appreciated that there is a need for a solution that improves the Goldwasser-Micali scheme in that it improves the bandwidth while remaining proved secure under standard hardness assumption. This invention provides such a solution.

SUMMARY OF INVENTION

In a first aspect, the invention is directed to a method of encryption of a k-bit plaintext m. A device obtains plaintext m, picks a random x∈Z_(N) ^(*), generates ciphertext c=y^(m)x² ^(k) mod N, and outputs the ciphertext. N is a multiple of a product of two prime numbers p and q and N is not a square, y is an element in multiplicative group Z_(N) ^(*) of integers modulo N, k is an integer larger than 1 and exactly one value of

$\left( \frac{- 1}{p} \right)_{2^{k}}\mspace{14mu} {and}\mspace{14mu} \left( \frac{- 1}{q} \right)_{2^{k}}$

is equal to 1 and the other one is equal to −1, where

$\left( \frac{a}{p} \right)_{2^{k}} = \; {a^{\frac{p - 1}{2^{k}}}{mod}\mspace{14mu} {p.}}$

In a first preferred embodiment, N=pq.

In a second aspect, the invention is directed to a method of decryption of a ciphertext c generated according to the method of the first aspect. A device obtains ciphertext c and private key p, recovers m∈{0, . . . , 2^(k)−1} such that

$\left\lbrack \left( \frac{y}{p} \right)_{2^{k}} \right\rbrack^{m} = {\left( \frac{c}{p} \right)_{2^{k}}\left( {{mod}\mspace{14mu} p} \right)}$

holds, and outputs plaintext m.

$\left( \frac{a}{p} \right)_{2^{k}}$

denotes the 2 ^(k)-th power residue symbol modulo p, which is defined as

$\left( \frac{a}{p} \right)_{2^{k}} = \; {a^{\frac{p - 1}{2^{k}}}{mod}\mspace{14mu} {p.}}$

In a first preferred embodiment, the recovery of plaintext m=(m_(k−1), . . . ,m₀)₂ is performed by the following steps:

1. m ← 0; B ← 1 2. for i = 1 to k do 3. $\left. z\leftarrow\left( \frac{c}{p} \right)_{2^{i}} \right.;\left. t\leftarrow{\left\lbrack \left( \frac{y}{p} \right)_{2^{i}} \right\rbrack^{m}\mspace{14mu} {mod}\mspace{14mu} p} \right.$ 4. if (t ≠ z) then m ← m + B 5. B ← 2B 6. end for 7. return m

In a third aspect, the invention is directed to a device for encryption of a k-bit plaintext m. The device comprises a processor adapted to obtain plaintext m, pick a random x∈Z_(N) ^(*), generate ciphertext c=y^(m)x² ^(k) mod N, and output the ciphertext. N a multiple of a product of two prime numbers p and q and N is not a square, y is an element in multiplicative group Z_(N) ^(*) of integers modulo N, k is an integer larger than 1 and exactly one value of

$\left( \frac{- 1}{p} \right)_{2^{k}}\mspace{14mu} {and}\mspace{14mu} \left( \frac{- 1}{q} \right)_{2^{k}}$

is equal to 1 and the other one is equal to −1, where

$\left( \frac{a}{p} \right)_{2^{k}} = \; {a^{\frac{p - 1}{2^{k}}}{mod}\mspace{14mu} {p.}}$

In a first preferred embodiment, N=pq.

In a fourth aspect, the invention is directed to a device method of decryption of a ciphertext c generated according to the method of the first aspect. The device comprises a processor adapted to obtain ciphertext c and private key p, recover m∈{0, . . . , 2 ^(k)−1} such that

$\left\lbrack \left( \frac{y}{p} \right)_{2^{k}} \right\rbrack^{m} = \; {\left( \frac{c}{p} \right)_{2^{k}}\left( {{mod}\mspace{14mu} p} \right)}$

holds, and output plaintext m.

In a fifth aspect, the invention is directed to a computer program product having stored thereon instructions that, when executed by a processor, performs the method of any one of the embodiments of the method of the first aspect.

In a sixth aspect, the invention is directed to a computer program product having stored thereon instructions that, when executed by a processor, performs the method of any one of the embodiments of the method of the second aspect.

BRIEF DESCRIPTION OF DRAWINGS

Preferred features of the present invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which FIG. 1 illustrates an apparatus for performing an exponentiation resistant against skipping attacks according to a preferred embodiment of the invention.

DESCRIPTION OF EMBODIMENTS

For illustrative purposes, the present invention will be described as applied to the square-and-multiply algorithm, but the skilled person will appreciate that it may easily be modified to any other exponentiation algorithm.

A generic public-key encryption scheme may be defined as follows:

-   -   A public key encryption scheme is a tuple of polynomial         probabilistic algorithms (KeyGen, Encrypt, Decrypt):     -   KeyGen(·) takes as input a security parameter K and outputs a         pair (pk, sk) containing the public and the secret key.     -   Encrypt(·,·): performs encryption. Takes as input a plaintext m         and a public key pk; outputs the ciphertext c=Encrypt(pk, m).     -   Decrypt(·,·): a deterministic decryption algorithm that takes as         input a ciphertext c and a secret key sk; outputs the plaintext         m.

The public-key encryption scheme of the present invention works as follows.

KeyGen(K): On input security parameter K, KeyGen generates an integer k>1 and two random primes p, q≡1 (mod 2^(k)) and forms N=pq. KeyGen also defines y∈Z_(N) ^(*) such that y∈J₂(N)\QR(N). The skilled person will appreciate that q is not necessarily prime, but that it may for example be a product of primes or a power of a prime. It is preferable that q does not equal p; N is preferably difficult to factorize.

For an integer a co-prime to N=pq, the Jacobi symbol is defined as the product of the corresponding Legendre symbols, namely

$\left( \frac{a}{N} \right) = {\left( \frac{a}{p} \right){\left( \frac{a}{q} \right).}}$

This gives rise to the set J₂(N) of integers whose Jacobi symbol is 1,

${J_{2}(N)} = {\left\{ {\left. {a \in Z_{N}^{*}} \middle| \left( \frac{a}{N} \right) \right. = 1} \right\}.}$

QR(N) is the subset of quadratic residues modulo N,

${{QR}(N)} = {\left\{ {\left. {a \in Z_{N}^{*}} \middle| \left( \frac{a}{p} \right) \right. = {\left( \frac{a}{q} \right) = 1}} \right\}.}$

It is preferred that exactly one value of

$\left( \frac{- 1}{p} \right)_{2^{k}}\mspace{14mu} {and}\mspace{14mu} \left( \frac{- 1}{q} \right)_{2^{k}}$

is equal to 1 and the other one is equal to −1, where

${\left( \frac{a}{p} \right)_{2^{k}} = \; {a^{\frac{p - 1}{2^{k}}}{mod}\mspace{14mu} p}},$

that is either

$\left( \frac{- 1}{p} \right)_{2^{k}} = \; {{1\mspace{14mu} {and}\mspace{14mu} \left( \frac{- 1}{q} \right)_{2^{k}}} = {{{- 1}\mspace{14mu} {or}\mspace{14mu} \left( \frac{- 1}{p} \right)_{2^{k}}} = \; {{{- 1}\mspace{14mu} {and}\mspace{14mu} \left( \frac{- 1}{q} \right)_{2^{k}}} = \; 1.}}}$

The public key is pk={N, y, k} and the private key is sk={p}.

Encrypt(pk, m): Input is plaintext message m∈{0, . . . , 2^(k)−1}. Encrypt outputs the encryption of message m under public key pk={N, y, k}. Ciphertext c=Encrypt(pk, m) is computed as follows:

-   -   pick a random x∈Z_(N) ^(*); and     -   set c=y^(m)x² ^(k) mod N.

Decrypt(sk, c): Decrypt recovers the plaintext m from the input ciphertext c using private key sk={p} and outputs the plaintext m, by:

1. computing

${z = \left( \frac{c}{p} \right)_{2^{k}}};$

2. finding m∈{0, . . . , 2^(k)−1} such that

$\left\lbrack \left( \frac{y}{p} \right)_{2^{k}} \right\rbrack^{m}\; = {z\mspace{11mu} \left( {{mod}\mspace{14mu} p} \right)}$

holds, wherein

$\left( \frac{y}{p} \right)_{2^{k}}$

denotes the 2 ^(K)-th power residue symbol modulo p, which is defined as

$\left( \frac{y}{p} \right)_{2^{k}} = \; {y^{\frac{p - 1}{2^{k}}}{mod}\mspace{14mu} {p.}}$

For a small value of k an exhaustive search is feasible to recover m. However, for larger values of k, it may be more efficient to proceed as follows:

Input: c, p, y Output: m = (m_(k−1), . . . , m₀)₂ 1. m ← 0; B ← 1 2. for i = 1 to k do 3. $\left. z\leftarrow\left( \frac{c}{p} \right)_{2^{i}} \right.;\left. t\leftarrow{\left\lbrack \left( \frac{y}{p} \right)_{2^{i}} \right\rbrack^{m}\mspace{14mu} {mod}\mspace{14mu} p} \right.$ 4. if (t ≠ z) then m ← m + B 5. B ← 2B 6. end for 7. return m

FIG. 1 illustrates a device according to a preferred embodiment of the present invention. The device 100 comprises at least one interface unit 110 adapted for communication with other devices (not shown), at least one processor 120 and at least one memory 130 adapted for storing data, such as accumulators and intermediary calculation results.

In a first preferred embodiment, the processor 120 is adapted to encrypt plaintext m using the encryption method described herein. In a second preferred embodiment, the processor 120 is adapted to decrypt ciphertext c using any of the embodiments of the decryption method described herein. In a third preferred embodiment, the processor 120 is adapted to encrypt a plaintext m and to decrypt a ciphertext c. A computer program product 140 such as a CD-ROM or a DVD comprises stored instructions that, when executed by the processor 120, performs the method according to any of the embodiments of the invention, i.e. encryption, decryption or both encryption and decryption.

It will be appreciated that the public-key encryption system of the embodiments of the present invention can provide a scheme that:

-   -   is proved secure under standard hardness assumption;     -   provides better bandwidth than Goldwasser-Micali.     -   is homomorphic: the product of ciphertexts for a number of         plaintexts is the encryption of the sum of the plaintexts;     -   allows a compact description of the public key owing to the         particular choice of primes p and q.

Each feature disclosed in the description and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination. Features described as being implemented in hardware may also be implemented in software, and vice versa. Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims. 

1. A method of encryption of a k-bit plaintext m, the method being performed in a device comprising a processor and comprising. obtaining plaintext m; picking a random x∈Z_(N) ^(*); generating ciphertext c=y^(m)x² ^(k) mod N; and outputting the ciphertext; wherein N is a multiple of a product of two prime numbers p and q being equal to 1 (mod 2^(k)) and N is not a square; y is an element in multiplicative group Z_(N) ^(*) of integers modulo N and y∈J₂(N)\QR(N); and k is an integer larger than
 1. 2. The method of claim 1, wherein N=pq.
 3. A method of decryption of a ciphertext c generated according to the method of claim 1, the method being performed in a device comprising a processor and comprising: obtaining ciphertext c and private key p equal to 1(mod 2^(k)); recovering m∈{0, . . . , 2^(k)−1} such that ${\left\lbrack \left( \frac{y}{p} \right)_{2^{k}} \right\rbrack^{m} = {\left( \frac{c}{p} \right)_{2^{k}}\left( {{mod}\mspace{14mu} p} \right)}}\;$ holds; and outputting plaintext m; wherein $\left( \frac{a}{p} \right)_{2^{k}}$ denotes the 2^(k)-th power residue symbol modulo p, which is defined as $\left( \frac{a}{p} \right)_{2^{k}} = \; {a^{\frac{p - 1}{2^{k}}}{mod}\mspace{14mu} {p.}}$
 4. The method of claim 3, wherein the recovery of plaintext m=(m_(k−1), . . . ,m₀)₂ is performed by the following steps, wherein B, t and z are variables:
 1. m ← 0; B ← 1
 2. for i = 1 to k do
 3. $\left. z\leftarrow\left( \frac{c}{p} \right)_{2^{i}} \right.;\left. t\leftarrow{\left\lbrack \left( \frac{y}{p} \right)_{2^{i}} \right\rbrack^{m}\mspace{14mu} {mod}\mspace{14mu} p} \right.$
 4. if (t ≠ z) then m ← m + B
 5. B ← 2B
 6. end for
 7. return m


5. A device for encryption of a k-bit plaintext m, the device comprising a processor configured to: obtain plaintext m; pick a random x∈Z_(N) ^(*); generate ciphertext c=y^(m)x² ^(k) mod N; and output the ciphertext; wherein N is a multiple of a product of two prime numbers p and q being equal to 1 (mod 2 ^(k)) and N is not a square; y is an element in multiplicative group Z_(N) ^(*) of integers modulo N and y∈J₂(N)\QR(N)
 6. The device of claim 5, wherein N=pq.
 7. A device of decryption of a ciphertext c generated according to the method of claim 1, the device comprising a processor configured to: obtain ciphertext c and private key p equal to 1 (mod 2^(k)); recover m∈{0, . . . , 2^(k)−1} such that ${\left\lbrack \left( \frac{y}{p} \right)_{2^{k}} \right\rbrack^{m} = {\left( \frac{c}{p} \right)_{2^{k}}\left( {{mod}\mspace{14mu} p} \right)}}\;$ holds; and output plaintext m.
 8. A non-transitory computable readable storage medium having stored thereon instructions that, when executed by a processor, performs the method of claim
 1. 9. A non-transitory computable readable storage medium having stored thereon instructions that, when executed by a processor, performs the method of claim
 3. 